multiple svchost.exe files


David Nunley

I have six instances of svchost.exe running as processes,
and suspect that some of these are virus installed. Using
the command Tasklist at the command prompt yields an
error message and doesn't work. How can I ascertain which
services are running under these various svchost.exe
files and delete ones I don't want?

Thanks,
David

WXP Home
 
Hi David,

Multiple svchosts are normal in WinXP, read up here:

A Description of Svchost.exe in Windows XP [Q314056]
http://support.microsoft.com/?kbid=314056

Also, tasklist is not a valid command in a WinXP Home system, so you
*should* be getting an error message.

Is there any other reason you suspect you may be infected? What does your
updated antivirus software say when you run a full system scan?

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
David;
Tasklist.exe is available here:
http://www.computerhope.com/download/winxp.htm

After you download tasklist.exe make sure you locate copies in:
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Remember this helpful item; Type Tasklist /? and then press ENTER
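To make the `Tasklist /SVC` step above concrete, here is an added example (not part of the original post) that parses the command's output, including service lists wrapped onto continuation lines, and groups the services by svchost.exe PID. The sample output is constructed, and treating a svchost.exe row with no services as worth a closer look is a heuristic assumed here, not something stated in the thread.

```python
import re

# Constructed sample of `tasklist /SVC` output; PIDs and services are illustrative.
SAMPLE = """
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
services.exe                 652 Eventlog, PlugPlay
svchost.exe                  828 DcomLaunch, TermService
svchost.exe                 1012 AudioSrv, Dhcp, LanmanServer,
                                 LanmanWorkstation, Schedule
svchost.exe                 2440 N/A
explorer.exe                1500 N/A
"""

# A process row: image name (may contain spaces), PID, then the services field.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def _names(field):
    """Split a services field on commas, dropping blanks and the N/A marker."""
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return a list of (image, pid, [services]) tuples."""
    rows, seen_ruler = [], False
    for line in text.splitlines():
        if line.startswith("==="):
            seen_ruler = True          # data rows start after the ruler line
            continue
        if not seen_ruler or not line.strip():
            continue
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), _names(m.group(3))))
        elif rows:
            rows[-1][2].extend(_names(line))   # wrapped continuation line
    return rows

def svchost_services(rows):
    """Map each svchost.exe PID to the services it hosts."""
    return {pid: svcs for image, pid, svcs in rows
            if image.lower() == "svchost.exe"}

def svchost_without_services(rows):
    """Heuristic (assumption): a real service host should list services."""
    return [pid for pid, svcs in svchost_services(rows).items() if not svcs]
```
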
 
Thanks Rick. NAV does not identify any virus on my system, but RAV (on-line
scan) picked up two:

Ruledor.B about which I can find nothing
and Trojan DlDer.A which I'm sure came in when I was using Kazaa. I check
which processes are running quite frequently and have always had about 3
instances of svchost until this last week. The only difference on my PC is
about 60 MB less free RAM than is usual.

David
 
Hi David,

What folders are the bugs located in?

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



 
Rick, these are the folders/path ID'ed with the final phrase identifying the
virus/worm.

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP198\A0040146.exe->[wise.23]->(UPXW)->(ZipSfx)->setup.exe - Trojan:Win32/DlDer.A

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP198\A0040146.exe->[wise.23]->(UPXW)->(ZipSfx)->dlder.exe - Trojan:Win32/DlDer.A



C:\WINDOWS\SYSTEM32\ClrSchP017.exe - Backdoor:Win32/Ruledor.B

C:\Program Files\ClearSearch\Loader.exe - Backdoor:Win32/Ruledor.B

Any help is greatly appreciated. Am thinking of using Pest Patrol to remove
these. Any comments?
David


 
Hi,

You can ignore the first two, they are in a system restore folder, and
unless you load that restore point, they are harmless and will eventually be
deleted.

For the other two, start/run msinfo32, expand the software environment and
click on the startup programs. Locate the lines that load them and make note
of where they are loading from. This is where you will need to go to remove
the references. If you are unsure of how to proceed, please post back with
the startup locations.

Once you've disabled them and rebooted, you should be able to locate the actual
infected files and delete them.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



 
Rick,
No file related to this clearsearch/loader.exe appears in the Startup
programs. However, running a utility which identifies startups yields the
following registry entry as "properties" of C:\Program
Files\ClearSearch\Loader.exe so I guess this thing is loading from the
registry. <HKEY_LOCAL MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Run-> Do I edit the registry to delete this altogether?

Thanks for your help, Dave
 
Rick,

Using msinfo32, there is no reference to the infected file in the startup
programs list. However, I ran a utility which identifies startup programs
and it described the following registry entry under "properties" of
C:\Program Files\ClearSearch\Loader.exe

HKEY_LOCAL MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run-

It would seem this is loading directly from the registry. Can I just delete
the files which appear in this registry entry to get the thing off my
system?

Many thanks for your help..David
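The thread's approach of finding which startup entry loads a flagged file can be checked mechanically. The following is an added example, not code from any poster: it parses text in the style of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` output and reports the values whose target executable matches a path the scanner flagged. The two flagged paths are the ones posted in the thread; the sample output, the value names and the non-flagged entry are constructed.

```python
import ntpath
import re

# Paths the online scan flagged, as posted in the thread.
FLAGGED = [
    r"C:\WINDOWS\SYSTEM32\ClrSchP017.exe",
    r"C:\Program Files\ClearSearch\Loader.exe",
]

# Constructed `reg query` style output; value names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\tray.exe" /min
    ExampleLoader    REG_SZ    "c:\program files\clearsearch\loader.exe"
    ExampleClr    REG_SZ    C:\WINDOWS\system32\ClrSchP017.exe /startup
"""

# A value line: name (may contain spaces), registry type, data.
VALUE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
# The executable is either the quoted first token or the text up to ".exe".
EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', re.IGNORECASE)

def norm(path):
    """Normalise a Windows path for comparison (case and separators)."""
    return ntpath.normcase(ntpath.normpath(path.strip()))

def parse_run_values(text):
    """Return (value_name, command_line) pairs; the key header line is skipped."""
    pairs = []
    for line in text.splitlines():
        m = VALUE.match(line)
        if m:
            pairs.append((m.group(1), m.group(3)))
    return pairs

def target_of(command):
    """Extract the normalised executable path from a Run command line."""
    m = EXE.match(command)
    return norm(m.group(1) or m.group(2)) if m else None

def flagged_entries(text, flagged=FLAGGED):
    """Return the Run values whose executable is one of the flagged paths."""
    bad = {norm(p) for p in flagged}
    return [(name, cmd) for name, cmd in parse_run_values(text)
            if target_of(cmd) in bad]
```

The matching values are the references to remove before deleting the files themselves, which is the order described earlier in the thread.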
 